Your Finger Swipe Could Become Your Password

BROOKLYN, N.Y. – To log into the new iPad app she made, computer science student Napa Sae-Bae held her hand open, touched her fingertips to the tablet's surface, then drew her fingers together until they met in the center. Her app analyzed the way she performed the gesture — the speed of her swipe, the angles between each fingertip — to decide whether to let her in. A moment later, a yellow smiley face popped up, indicating that she could access the app.

She then offered the iPad to me. On-screen, the app showed green tracks so I could drag my fingers along the same lines Sae-Bae did. Our hands are similar in size, so her hand-spread matched mine. Yet while I moved along the tracks, I noticed their paths felt uncomfortable and unnatural to me. Once I finished the gesture, I got a green frowning face to show I was locked out.

In two recent studies, Sae-Bae, who is studying for her doctorate at the Polytechnic Institute of New York University, has found that apps such as these could be secure, more memorable and more fun alternatives to passcodes and passwords. Sae-Bae's work is in its early stages, but she and her adviser, Nasir Memon, hope that in the future, gestures and swipes will prove to be a better alternative to passwords, crafted especially for the touch screen age.

"I think we are at a window of opportunity where the interface is changing," Memon said. He and Sae-Bae recently published a paper that discussed not only the proliferation of smartphones and tablets, but also research into making fabric and paper into touch-sensitive technology. Passwords are especially difficult to type into touch-screen devices, Memon added.

"They have some encouraging results," Kevin Bowyer, a computer scientist at the University of Notre Dame, wrote to TechNewsDaily in an email. (Bowyer studies biology-based password alternatives, called biometrics, but was not involved in Memon's work.) Bowyer added that Sae-Bae and Memon haven't tested swipes in enough people to prove they are able to distinguish individuals in a large population, such as all the people who use an email service. But it does look like gestures are enough to keep a handful of intruders out of your tablet.

"If there was an application where you only wanted to distinguish between, say, 10 different people who are potential users of some device, then these results seem really encouraging," Bowyer said.

How it works

Even when someone tries to copy another person's gesture, there are differences in how individuals pinch, swipe and turn, Sae-Bae explained. People have different fingertip distances, tracks along which they pinch and speed of swiping.

In her latest paper, which she presented Sept. 26 at a biometrics conference hosted by the Institute of Electrical and Electronics Engineers, Sae-Bae worked on ensuring her app was lenient enough to allow for the slightly different ways the same individual may perform a gesture, while still locking out imposters who try to copy someone's sign-in gesture. "You need to find a good balance," Memon said. [SEE ALSO: Computer IDs Culprits with Tattoo Recognition]

Sae-Bae tested 22 different gestures, including the five-finger pinch that I tried to copy from her. After gathering data from 34 study volunteers, she found that on average, gestures had about a 4 percent equal error rate, a standard measure of error in biometrics that takes into account false lockouts as well as false sign-ins. Smaller equal error rates are better.

Previously, in a paper Sae-Bae presented at an Association for Computing Machinery conference in May, she described another interesting finding. For that study, she asked volunteers to make 22 gestures on an iPad and rank which one was most fun to make. The more fun ones happened to be the most secure ones, she found. This is the polar opposite of what happens with text passwords, she said.

An uncertain future

There are still many tests ahead for Sae-Bae's app before it shows up in commercial devices. "It's still far from something grandpa and grandma will use," Memon said.

Sae-Bae will need to check if people easily remember the gestures they choose to replace their passcode, Memon said. One of the problems the researchers are trying to solve is the difficulty of remembering secure passwords.

The researchers are also still analyzing data to see whether their app will still recognize a person's pass-gesture a week after the person set it up.

If the app fails those upcoming tests, it may still find its time in the future, depending on whether device manufacturers improve the touch sensors in their products, giving the app more information with which to work, Sae-Bae said.

The Memon lab may also move on to another password replacement or supplement. One way or another, Memon thinks, the passwords of the future will include biometric measures. "It's there, it's with you," he said. "There are no secrets you have to carry around in your pocket." Plus, he said, consumer devices are incorporating more and more sensors that could be used for biometrics. "Why not use it to capture some biometric-based password?"

This story is part of a series about exotic biometrics — unexpected ways that researchers are working on to identify people by their biological features. "It is important to keep track of the new/unusual/not-yet-much-studied things, because this is where the next big things come from," Kevin Bowyer, chair of the computer science and engineering department at the University of Notre Dame, told TechNewsDaily. "Of course, most exotic things never become big. But history says that some will."

Bowyer served as a reviewer for a biometrics conference held Sept. 24 through Sept. 26. He helped choose some of the research we'll examine in this series, which will not feature his own work.

His own area of expertise, iris scanning, was considered exotic 20 years ago, he added.